On Friday, Cisco published a high level security advisory CVE-2016-6415 for an IKEv1 Information Disclosure Vulnerability that affects multiple Cisco products including: Cisco IOS, Cisco IOS XR, and Cisco IOS XE. The vulnerability is in the IKEv1 packet processing code which could allow an unauthenticated remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

According to Cisco:

The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Cisco IOS XR Software

If you’re on 5.3.x or higher of the Cisco IOS XR software then you’re not vulnerable to this attack. If you’re running a lower version, you’ll want to apply Cisco’s patch as soon as its available.

Cisco IOS XE Software

Unfortunately, if you’re running any version of the Cisco IOS XE software then you’re vulnerable to this attack.

Cisco IOS Software

Given that there are so many different versions of the Cisco IOS software, please check the Cisco Security Advisory to see if your specific version is vulnerable.

Where is IKEv1 Used?

A number of features use IKEv1, including different Virtual Private Networks (VPN) such as:

LAN-to-LAN VPN

Remote access VPN (excluding SSLVPN)

Dynamic Multipoint VPN (DMVPN)

Group Domain of Interpretation (GDOI)

The preferred method to determine if a device has been configured for IKE is to issue the show ip sockets or show udp EXEC command. If the device has UDP port 500, UDP port 4500, UDP port 848, or UDP port 4848 open, it is processing IKE packets. On a Cisco IOS device, you can use this command to view anything configured to use IKE: show run | include crypto map|tunnel protection ipsec|crypto gdoi

You can use the show version command to view the current Cisco IOS software version number installed on your devices.